Passwords no longer secure enough, says expert


2 Feb 2005

Passwords have reached the end of their usefulness and will need to be replaced with more secure forms of access such as smart cards and digital signatures. That’s the view of Rafal Lukawiecki, a security specialist and director with the UK technology consultancy Project Botticelli.

“Most of the difficulties in security are based on the fundamental weakness of the password. There will always be vulnerabilities that exploit it,” he said. “It’s not difficult for someone to steal a password from a typical person working in a typical company.”

He cited a recent survey from RSA that found that many people would divulge their password in exchange for some form of treat. In addition, many people use the same passwords for multiple sites, he said. A potential hacker tactic would be not to try to crack the bank’s safety measures, but instead to find out the code a user employs to access a less important website. According to Lukawiecki, there is a high probability that the passwords used for both are the same or similar, making them easy to guess. “The problem with a password is that it is secret information being reused,” he said.

Maintaining passwords is also a significant headache for IT departments, he claimed. “Almost no company wants to maintain an authentication system. What we need is ID management that works for everyone.”

A possible – and more secure – alternative would be a one-time password generator, which is a device that supplies the user with a different password every time he or she wants to access a particular service. “One-time password systems are simple to deploy, but they only work well for a select set of companies that work together,” Lukawiecki pointed out.

Smart cards are much more secure but the problem is deploying them widely; here he suggested that the Government could have a role to play in ensuring that digital certificates are distributed among the Irish population, for example. There are precedents elsewhere: Malta, Malaysia and Costa Rica have introduced smart card systems.

Separately, Lukawiecki also claimed that much security spending is poorly targeted, with money set aside for the wrong things. “People spend an enormous amount of money building steel reinforcements for walls made of paper that a hacker can walk straight through,” he said. “People who work in the front lines of security have no idea what they should be spending their money on.”

Lukawiecki will be in Ireland to speak about this and other subjects in a free presentation entitled Holistic Security and Digital Trust which takes place on 9 February at Microsoft’s Leopardstown offices.

This seminar is aimed at IT professionals charged with designing, deploying and administering secure and trustworthy electronic environments, and is intended to help them put in place a more structured, proactive defence. Lukawiecki will also cover different ways of assessing security requirements based on the risks that apply to an organisation. Those interested can register online at: www.microsoft.com/ireland/security/holisticsecurity.

By Gordon Smith